Submitting a PKI Certificate Request 1225
n
■ Currently, up to two PKI domains can be created on a device.
■ The CA name is required only when you retrieve a CA certificate. It is not used
when in local certificate request.
Submitting a PKI
Certificate Request
When requesting a certificate, an entity introduces itself to the CA by providing its
identity information and public key, which will be the major components of the
certificate that the CA may issue to the entity. A certificate request can be
submitted to a CA in two ways: online and offline. In offline mode, a certificate
request is submitted to a CA by an “out-of-band” means such as phone, disk, or
e-mail.
Online certificate request falls into two categories: manual mode and auto mode.
Submitting a Certificate
Request in Auto Mode
In auto mode, an entity automatically requests a certificate through the SCEP
protocol when it has no local certificate or the present certificate is about to
expire.
Follow these steps to configure an entity to submit a certificate request in auto
mode:
Submitting a Certificate
Request in Manual
Mode
In manual mode, you need to retrieve a CA certificate, generate a local RSA key
pair, and submit a local certificate request for an entity.
The goal of retrieving a CA certificate is to verify the authenticity and validity of a
local certificate.
Configure the URL of
the server for certificate
request
certificate request url
url-string
Required
No URL is configured by default.
Configure the polling
interval and maximum
number of attempts for
querying the certificate
request status
certificate request polling
{ count count | interval
minutes }
Optional
The polling is executed for up to 50
times at the interval of 20 minutes
by default.
Specify the LDAP server ldap-server ip ip-address
[ port port-number ]
[ version version-number ]
Optional
No LDP server is specified by
default.
Configure the
fingerprint for root
certificate validation
root-certificate fingerprint
{ md5 | sha1 } string
Optional
No fingerprint is configured by
default.
To do… Use the command… Remarks
To do… Use the command… Remarks
Enter system view system-view -
Enter PKI domain view pki domain domain-name -
Set the certificate request
mode to auto
certificate request mode auto
[ key-length key-length | password
{ cipher | simple } password ] *
Required
Manual by default
To Next Page
Loading...
